The General Data Protection Regulation (GDPR) has now been in effect for more than six months, yet many SMEs still ask about it as if it were something yet to be enforced at some future date. No doubt that is why GDPR is getting so much attention in the global market. It is the globalization of the market and its integration with the internet that makes GDPR a big deal, despite its being a framework of standard regulations that applies only in the European Union. GDPR includes some very basic elements that could potentially become the standard data protection law across the globe. Therefore, before discussing its sector-wise impact, it is very important to know the obligations and rights of the key stakeholders that deal with personal data under the GDPR.
In light of the debate around its being strict and harsh on SMEs, it is very important to understand that the GDPR is prescriptive in nature. That GDPR is prescriptive means that it basically prescribes the best practices that businesses in Europe need to follow when drafting their privacy policies. GDPR is prescriptive about the need for contracts governing the sharing of the personal data of EU citizens in the following three brackets:
- Data Sharing between Co-controllers;
- Processors appointed by Controllers;
- Sub-Processors appointed by Processors (data centres or any other kind of support behind the vendor).
______________________________________________________________________
NOTE: Before describing anything related to standard clauses under GDPR, it is important to understand the basic meanings of certain terms; they are used in this article with the following meanings:
Data-Subject refers to an individual, or natural person, who is identified, directly or indirectly, through an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.
Data-Controller, according to the GDPR, is defined as “a natural or legal person which, alone or jointly with others, determines the purposes and means of personal data processing” (for example, a business obtaining customer or employee details, or a school, college or university holding student records).
The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights. Put simply, the controller is the manager of the personal data and instructs the processor. The data controller decides the purpose for which personal data is required and what personal data is necessary to fulfill that purpose.
A data controller acts with its own autonomy. A party constrained in how it can handle personal data is less likely to be a data controller but could be a data processor.
GDPR defines a Data-Processor as:
“a natural or legal person that processes personal data on behalf of the data controller.”
A data processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the data controller in its processing of the personal data.
The role of a data processor could include storing data, retrieving data, running the payroll for a business, carrying out marketing activities, or providing security for data.
PRACTICAL SCENARIO:
X Limited has entered into a contract with Y Limited, providing clear instructions to Y Ltd. to send an email advertising X Ltd.’s new range of products.
X Ltd. provides Y Ltd. with an email template and a spreadsheet of personal email addresses (all obtained with valid GDPR consent).
X Ltd. outlines that the spreadsheet is only to be used for the purpose of sending this advertising email.
Y Ltd. is bound by the instructions of X Ltd.
In this scenario, Y Ltd. is the data processor and X Ltd. is the data controller.
______________________________________________________________________
Knowing obligations and rights of Controllers
In practice, vendors, sellers and suppliers in the European Union are pushing for standard contracts that comply with the GDPR, as all commercial negotiations related to data sharing are now governed by it and EU controllers are very much concerned about managing risk. As the marketplace is still very nascent, guidance and enforcement are much needed. It is therefore important to identify and categorize whom one can share data with and receive data from, to determine the GDPR processor obligations, and to ensure the stability of internal processes. Another thing to bear in mind, in order to know GDPR in its true essence, is that contracts are just one part of wider GDPR compliance and by no means the whole of it.
Article 5 of the GDPR presents the big picture, setting out the core principles behind the standard provisions relating to the protection of personal data, as follows:
- Data must be processed lawfully, fairly and in a transparent manner, and this should be the primary concern of the controller. This principle is a reminder of the significant issues which a stakeholder must set out clearly in its contracts in order to specify responsibilities, processes and liabilities.
- Data minimisation must be the essence of every privacy policy. Put simply, it means that personal data should be processed only to the minimum extent necessary.
- Data must be accurate and must be kept up to date. It is one of the clauses that paves the way for the implementation of the right to be forgotten in terms of data collection, as the principle requires that out-of-date data be deleted or corrected as quickly as possible.
- Storage limitation should be in place in order to limit the duration for which the data and its source remain identifiable, subject to certain restrictions.
- Security and integrity of data come with an obligation to prevent unauthorized access to or control of data by using effective ethical, technical and organizational methods. The phrase ‘integrity and confidentiality’ appears in multiple places in the GDPR, and it is there to remind stakeholders what is expected of their data-protection policy.
- The principle of accountability puts it plainly that under the GDPR a stakeholder is not only supposed to comply with the regulations but also has to demonstrate that compliance. Therefore, accountability should be explicitly visible in every contract and in the privacy policy.
- There is another principle which is not present in the text of Article 5 but is provided for in Article 25 of the GDPR: the concept of data privacy by design and by default. The theme behind it is that a stakeholder has to embed the concept of privacy in every word of any privacy policy that deals with the personal data of EU citizens, and hence the contract should highlight it as well.
Now that the principles are known, one can move on to understand the letter and spirit of the law that the GDPR enforces, as follows:
The GDPR has specific requirements for joint-controller and controller-processor/sub-processor arrangements. According to Article 26 of the GDPR, a joint-controller relationship is one in which two or more controllers jointly determine the purposes and means of processing data. Article 26 requires the joint controllers to identify their respective compliance responsibilities, and the GDPR requires that the data subject be made aware of them. Therefore, stakeholders have to set out these responsibilities clearly in contracts and policies. The rights and duties in the arrangement with respect to the data subject must clearly delineate who in the arrangement will be liable when a data subject exercises his or her rights.
Knowing obligations and rights of Processors
Controllers are further obliged to appoint only those Processors that provide sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR. This means that the controller should undertake a proper due-diligence process before appointing a Processor. Although the GDPR does not prescribe this as a mandatory, explicit contractual requirement, it is always better to cover off the risks by documenting the position in writing, especially anything relating to the Processor under Article 28 of the GDPR, in order to demonstrate accountability in commercial contracts. For Processors, the GDPR has highly specific requirements on what must be present in the contract, as follows:
- The subject-matter of the processing;
- The duration of the processing;
- The purpose of the processing;
- The type of personal data being processed;
- The categories of data subject;
- The obligations and rights of the controller.
This means that the data processing activities contracted out to the processor should be laid out in detail. Even that is not enough, as there are a number of obligations on the processor under Chapter 4 of the GDPR requiring it to process data only according to the specific instructions of the Controller that are documented in the contract. Again, a point to note is that the GDPR does not mandate that a stakeholder cover all such instructions in the initial contract, but most policy drafters suggest that a stakeholder should include basic instructions, for example who is authorized to give them, to whom they need to be sent and how quickly they need to be acted on.
The GDPR singles out data transfers in particular as an issue on which a Data Processor must contractually agree to adhere to the instructions of the Controller. Appropriate confidentiality agreements in respect of persons authorised to process personal data also need to be included. The Processor has to comply with the security obligations under Article 32 of the GDPR, and with the Controller’s requests for deletion or return of the data at the end of the contract. It is the first time in EU law that a Data Processor has direct liability to Data Subjects in relation to certain GDPR data breaches. As a result, all parties involved in the framework of data collection, processing and sharing have a greater interest in ensuring that contractual liability is dealt with in the way most advantageous to them.
Knowing obligations and rights of Sub-Processors
Finally, Sub-Processors are also worth mentioning, as the GDPR deals in detail with the authorisation of sub-processor appointments under Article 28(4). A Processor cannot appoint a sub-processor without the prior specific or general written authorisation of the controller. Where the controller gives a general written authorisation, the processor has to keep the controller informed of any intended changes in the instructions delivered to the sub-processor and give the controller the opportunity to object. The contract needs to set out specifically how the notification and approval processes will work under a general authorisation. The Processor has to impose on the sub-processor the same obligations that apply to it under its own contract with the Controller. Under the GDPR, it is the processor who remains liable to the Controller for data breaches, making the allocation of liability a vital requirement.
GDPR compliance is about more than just complying with the letter of the law; regulators are going to look at whether the stakeholder is complying with its spirit as well.
In order to ensure compliance, the controller needs to ensure that its obligations flow down through the contracts: where the controller has an obligation with which a processor or sub-processor will assist, the contract must delineate those obligations. The ICO draft guidelines provide a well-developed checklist to ensure the proper drafting of a clause relating to the controller’s obligations.
The next blog in the GDPR series will deal with the provisions of the GDPR that give specific instructions on the drafting of privacy policies and private contracts.
The following are suggested reading for a more elaborate treatment of the technicalities of the obligations and rights of data subjects, Controllers and Processors:
https://www.porterdodson.co.uk/blog/gdpr-who-is-the-data-controller-who-is-the-data-processor-and-what-is-the-lawful-basis
https://www.wsiworld.com/blog/responsibilities-of-a-controller-processor-and-data-protection-officer-according-to-gdpr/
https://www.dporganizer.com/gdpr-data-controller-vs-processor/
https://termsfeed.com/blog/gdpr-data-controller-vs-processor/